Organizations today face numerous problems in dealing with large amounts of dynamically changing data. Among the common problems facing organizations today in this area are: too much information for a mission risk perspective; inherent insecurity of the Internet; and impediments to the rapid adoption of the cloud.
Too much information for a mission risk perspective creates a profound problem for modern organizations' complex information technology (IT) environments. Leaders are faced with so many tools, resources, dashboards, audit reports, bells, alarms and alerts that it is nearly impossible to distinguish which ones are important and which ones are unimportant to their specific mission goals. The call to continuously monitor and measure everything has resulted in massive quantities of data without context to the mission, with a difficulty in identifying where focus should be placed.
The fundamental difficulties of too much similar information, about too many items in multiple hierarchies, that changes too quickly for humans to understand what to do, create profound strategic, tactical, and operational problems for organizations. These problems are especially pronounced as organizations move to continuous monitoring of many systems for many data elements. Continuous monitoring systems in combination with many other commercial-off-the-shelf (“COTS”) tools like security, management and other reporting tools, all displaying executive dashboards, can create information overload. The decision makers of an organization have a need to know when their mission is impacted but are currently being overloaded with too much information, across too many layers, with unnecessary levels of granularity. This results in multiple management inefficiencies that in themselves can negatively impact the mission risk to the organization.
Examples of these management inefficiencies are: too many “red” alerts to respond to correctly; no way to understand the difference in mission risk between different tool dashboards; too many different tools to actually learn and use all of them correctly and wisely; and each tool being designed to be used at a different layer of the organization, therefore giving decision leadership a confusing multi-layer array of problems to address, spread across many interfaces.
The executive dashboards of all these tools coupled with the executive dashboards developed internally by the organization create the perfect scenario to embroil decision leaders in low level IT hardships that are not in themselves mission critical issues. This wastes an organization's time and money.
Organizations have long struggled with the ability to balance strategic planning with tactical action. Recently there has been a move toward decisions and automation of the decisions based on the massive amounts of data. Jumping ahead of an issue is often a very attractive and proactive response when faced with an alert or unknown trouble. There is a natural tendency for organizations to want to fix problems as quickly as possible, leading to a dependence on quick tactical solutions. The problem is that, for example, without a good understanding of how alert information is applicable to the organization's mission, decision services will be forced to take action without really understanding the mission impact of their actions. Action based on alerts that are not associated with strategic mission objects and concepts to give them weight and priority will result in a paralyzing grip on the resources of an organization.
Tactical actions need to be directed by organizational strategic objectives or the tactical objectives can quickly become inefficient. Tactical objectives based on alerts alone have the capacity to become even more destructive to an organization since there is an added sense of urgency associated with the event and solution. Siloed or stovepipe solutions, duplicated efforts, and unneeded purchases of vendor products designed to offset threats that are already mitigated by other methods or, worse, not critical to the organization's mission are some examples of how jumping to tactical action negatively affects the organization. In many ways, tactics that are not part of a greater strategic plan could be a greater threat to the mission of an organization than the threat the tactics aim to mitigate, by robbing the organization of the precious resources of people, time and money. Tactics without mission strategy may be one of the largest threats to mission assurance an organization faces.
One of the emerging issues in the continuous monitoring field is how to take action using the massive amounts of data being collected by the machines designed to collect it. Machines, however, face the same dilemma that organizational leaders face: what should I do first and why? This situation leads to prioritization of action based on the severity of the alert and asset alone, and drives many policy, purchase and programmatic initiatives to solve these problems based only on an alert from the data. The problem is that there are more problems than resources, and the ranking of problems is often not associated with the mission goals of the organization. For example, a given alert can be a critical issue for mission assurance in organization A but of no importance to the mission assurance of organization B, while the vulnerability and critical flaw is equal in importance in both organizations, and would be ranked very high by both organizations' continuous monitoring systems, driving organization B to waste effort in unnecessarily resolving the alert.
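The organization A versus organization B contrast above, carried through as an added example (this is illustration code, not code from the original document). It assumes a hypothetical scoring model in which each organization maps its assets to the mission functions they support and assigns each function a criticality weight from 0.0 to 1.0; an alert's mission risk is the scanner's severity scaled by that weight. The organizations, assets, weights and alerts are all constructed.

```python
"""Mission-weighted ranking of the same alert in two organizations.

Added illustration; not code from the original document. The model below is a
hypothetical one: each organization maps assets to the mission functions they
support and weights each function from 0.0 (irrelevant) to 1.0 (mission
essential). All data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    alert_id: str
    asset: str
    severity: float  # technical severity on a 0-10 scale, as a scanner reports it


@dataclass
class Organization:
    name: str
    asset_missions: dict[str, set[str]]  # asset -> mission functions it supports
    mission_weight: dict[str, float]     # mission function -> criticality 0.0..1.0

    def mission_factor(self, asset: str) -> float:
        """Highest criticality among the missions the asset supports (0.0 if none)."""
        missions = self.asset_missions.get(asset, set())
        return max((self.mission_weight.get(m, 0.0) for m in missions), default=0.0)

    def mission_risk(self, alert: Alert) -> float:
        """Technical severity scaled by the asset's relevance to this organization's mission."""
        return round(alert.severity * self.mission_factor(alert.asset), 2)

    def rank(self, alerts: list[Alert], act_threshold: float = 5.0) -> list[tuple]:
        """(alert_id, asset, mission_risk, act_now) sorted by mission risk, highest first."""
        scored = sorted(((self.mission_risk(a), a.alert_id, a.asset) for a in alerts), reverse=True)
        return [(aid, asset, score, score >= act_threshold) for score, aid, asset in scored]


def severity_only_rank(alerts: list[Alert]) -> list[str]:
    """What a tool dashboard shows when it ranks by severity alone: the same list for every organization."""
    return [a.alert_id for a in sorted(alerts, key=lambda a: a.severity, reverse=True)]


# Constructed sample data: the same two hosts and the same two findings exist in both organizations.
ALERTS = [
    Alert("ALRT-1", "db-01", 9.8),   # critical flaw on a database host
    Alert("ALRT-2", "web-02", 6.0),  # medium flaw on a web host
]

ORG_A = Organization(
    "Org A",
    asset_missions={"db-01": {"payment-processing"}, "web-02": {"marketing-site"}},
    mission_weight={"payment-processing": 1.0, "marketing-site": 0.4},
)
ORG_B = Organization(
    "Org B",
    asset_missions={"db-01": {"dev-sandbox"}, "web-02": {"customer-portal"}},
    mission_weight={"dev-sandbox": 0.1, "customer-portal": 0.9},
)

if __name__ == "__main__":
    print("severity only:", severity_only_rank(ALERTS))
    for org in (ORG_A, ORG_B):
        print(org.name, org.rank(ALERTS))
```

Ranked by severity alone, both organizations see ALRT-1 first and would both act on it; weighted by mission, organization A still acts on ALRT-1 (9.8) while organization B scores it 0.98 and instead acts on ALRT-2 (5.4), which affects its customer portal. The threshold and the weights are the organization's risk-tolerance inputs; nothing in the scanner's output changes.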
Organizational mission strategy is fundamental to aligning the tactics for solving problems. One of the greatest threats to the mission of an organization is security tactics designed to mitigate a threat but impact the ability of the organization to operate efficiently. These tactical or worse, operational reactions can become great hardships for the organization requiring many layers of bureaucratic approvals with business justifications to overcome. This is further amplified if systems are used to simply mitigate security vulnerabilities automatically that in some cases could create a business block or hurdle without warning.
The inherent insecurity of the internet is the result of the openness and interconnectivity of the internet. The troubling issue with any networked environment is that other people are on it. The opportunity and the threat live in the same dimension, mitigate one and lose the other. For this reason, organizations are faced with a difficult dilemma when implementing new technology ideas and concepts such as cloud computing. This openness provides both an opportunity and threat for organizations trying to secure their environment. This openness can lead to troubling situations, including the inability or great difficulty to reliably determine the source or attribution of cyber-attacks given the mass of data that may reflect hostile surveillance and action. By its very openness, it becomes difficult to identify who is sharing communications paths with an organization's data.
Many organizations are starting to focus on offensive cyber opportunities as a way of defending the organization's assets. While the merits of this approach are not in question, the technology and techniques used for attributing exactly who the offending party is are in question. The more advanced the threat, the more likely it is with current technology that an organization does not fully understand what is happening. Ironically, this plays out as an inverse relationship where an organization is most likely to attribute an attack to the wrong party where the attack poses the most risk to the mission, while being most likely to attribute the correct party to an attack with the least risk to the mission. Much of an organization's inability to understand what is happening is due to an inability to connect the dots within its own assets, and a lack of workflows around a solid, architecturally layered audit and monitoring plan. Primarily this is due to the lack of a tool that combines business logic with technical and human workflows to achieve mission-tolerable objectives across the enterprise.
Most compliance toolsets and checklists focus on one aspect and only one aspect of security—“compliance.” While compliance is important, seldom is an organization operating with the core mission of only being compliant with standards and laws and nothing else. Further, these tools and lists do not address the multi-layer complexity most organizations possess in terms of assets, configuration, regulatory dictates, international laws and differences in laws, etc. It can be argued that by achieving compliance an organization achieves the rest of the security needed. This could be true some of the time. However, most control lists are designed with a one or a few sizes fits all philosophy, and fail to realize enterprise security reaches far beyond the computer system into the people and operations of the business.
Finally, the rapid adoption of the cloud by organizations has resulted in the rebirth of many security issues that were once contained by organizational domain protections. The rapid adoption of cloud computing has complicated the existing enterprise issues with yet one more layer of complexity. Many of the leaders and IT administration of organizations have never faced these issues since their predecessors were the ones who established the prior existing environment with its protections. As a result, such organizations, by adopting the cloud, may be extending their mission into dangerous territory without understanding the full impact.
Cloud computing adoption has also highlighted the challenges with implementing, deploying and using public, private, and hybrid cloud environments. The primary challenges include security, interoperability, and portability, while secondary challenges include optimization of resource utilization and integration of cloud systems management with business processes. Cloud computing adoption is further hindered by the inherent complexity of effectively measuring, monitoring, and evaluating the security of an environment and then turning that analysis and security policy into secure administrative actions and time-bound, actionable security improvements ranked by the organization's risk tolerance. This problem is further exacerbated with public clouds, and the inherent insecurity of the Internet coupled with the lack of visibility into a public cloud service provider's environment.
What is required is an approach that uses the output of existing security monitoring and systems management tools to make decisions based on the customer's risk tolerance, security policies, and business processes. Many times these decisions are executed across multiple disparate third-party tools designed to interact with and control the existing environment. This creates a “multiple panes of glass” problem, and may result in gaps or overlaps within a toolset that further conceal the true state of the environment. The objective approach must provide a rational means for orchestration of these disparate tools, creating a single view of the environment across them, to include harvesting and managing the rich metadata associated with security objects within the environment. Where these tools themselves provide orchestration and automation of security and systems management activities, they must be choreographed (orchestration of multiple centers of orchestration) to result in harmonious and consistent operations. This orchestration and integration must also include a mechanism for defining security attributes and policies, and then function as a policy decision point as appropriate, with policy enforcement driven back into the individual tools through appropriate interfaces. The concept of distributed transactions must also be respected where synchronization of action across multiple endpoints is required (for example, all must complete, otherwise none complete).
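The policy decision point plus all-or-none enforcement across several tool endpoints described above, as an added example (illustration code, not code from the original document or any product). The decision point, the three tool endpoints and their prepare/commit/rollback interface are hypothetical in-memory stand-ins for real products, and the hosts, risk scores and tolerance are constructed.

```python
"""Choreographed policy enforcement across several tool endpoints with
all-or-none semantics.

Added illustration; not code from the original document. The policy decision
point, the tool endpoints and their prepare/commit/rollback interface are
hypothetical, in-memory stand-ins for real products; all data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str            # e.g. "isolate_host"
    target: str          # asset the action applies to
    mission_risk: float  # mission-ranked score of the triggering alert, 0..10


class PolicyDecisionPoint:
    """Answers 'may this action be enforced?' from the organization's policy."""

    def __init__(self, risk_tolerance: float, permitted_kinds: set[str]):
        self.risk_tolerance = risk_tolerance
        self.permitted_kinds = permitted_kinds

    def decide(self, action: Action) -> bool:
        # Only actions the policy permits, and only when the mission risk
        # exceeds what the organization is prepared to tolerate.
        return action.kind in self.permitted_kinds and action.mission_risk > self.risk_tolerance


class ToolEndpoint:
    """Stand-in for one third-party tool's control interface (two-phase style)."""

    def __init__(self, name: str, unreachable: set[str] | None = None):
        self.name = name
        self.unreachable = unreachable or set()  # targets this tool cannot act on
        self.state: dict[str, str] = {}          # committed target -> action kind
        self._pending: dict[str, str] = {}       # prepared but not yet committed

    def prepare(self, action: Action) -> bool:
        if action.target in self.unreachable:
            return False
        self._pending[action.target] = action.kind
        return True

    def commit(self, action: Action) -> None:
        self.state[action.target] = self._pending.pop(action.target)

    def rollback(self, action: Action) -> None:
        self._pending.pop(action.target, None)


class Orchestrator:
    """Single enforcement path: policy decision first, then prepare on every
    endpoint, then commit everywhere or roll back everywhere."""

    def __init__(self, pdp: PolicyDecisionPoint, endpoints: list[ToolEndpoint]):
        self.pdp = pdp
        self.endpoints = endpoints

    def enforce(self, action: Action) -> str:
        if not self.pdp.decide(action):
            return "denied"
        prepared: list[ToolEndpoint] = []
        for ep in self.endpoints:
            if ep.prepare(action):
                prepared.append(ep)
            else:
                for p in prepared:  # undo the partial transaction on every prepared tool
                    p.rollback(action)
                return f"aborted:{ep.name}"
        for ep in self.endpoints:
            ep.commit(action)
        return "committed"


def run_demo() -> dict[str, str]:
    """Constructed scenario: three tools, one of which cannot reach host-77."""
    pdp = PolicyDecisionPoint(risk_tolerance=5.0, permitted_kinds={"isolate_host"})
    tools = [ToolEndpoint("firewall"), ToolEndpoint("nac", unreachable={"host-77"}), ToolEndpoint("ticketing")]
    orch = Orchestrator(pdp, tools)
    outcomes = {
        "high-risk isolate": orch.enforce(Action("isolate_host", "host-12", 8.0)),
        "isolate, nac unreachable": orch.enforce(Action("isolate_host", "host-77", 9.0)),
        "low-risk isolate": orch.enforce(Action("isolate_host", "host-30", 2.0)),
        "action not permitted": orch.enforce(Action("wipe_host", "host-12", 9.0)),
    }
    # After the aborted transaction no tool may hold any state for host-77.
    outcomes["host-77 state"] = ",".join(sorted(t.name for t in tools if "host-77" in t.state)) or "none"
    outcomes["host-12 state"] = ",".join(sorted(t.name for t in tools if "host-12" in t.state))
    return outcomes


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {result}")
```

The isolation of host-12 reaches all three tools; the isolation of host-77 is rolled back on the firewall once the NAC endpoint cannot prepare it, so no tool is left with a half-applied change; the low-risk alert and the unpermitted action never reach any tool because the decision point refuses them.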
Consequently, organizations need new mechanisms for effectively and efficiently monitoring, harvesting and assessing large amounts of dynamically changing data and then automating actions, such as security decisions, based on this effective assessment. Current monitoring technologies work against relatively flat, simple hierarchies with all data in a relational model. Such technologies and the use of flat, simple hierarchies consequently limit the depth of hierarchies from the standpoint of the complexity of the data model and of the queries that must be run against the data models. The breadth of the hierarchies is also limited due to performance limitations from complex queries. Attempts to use a relational model to implement a capability of dynamically detecting changes in extremely large datasets have failed due to relationship and query complexity. Consequently, organizations need a different model for effectively and efficiently monitoring, harvesting and assessing large amounts of dynamically changing data.
Security policy and attributes should be defined through a rational process and framework that quantifies an organization's risk tolerance. Security frameworks such as the Sherwood Applied Business Security Architecture (SABSA) provide a mechanism for achieving this definition, and serve as a foundation for delivering National Institute of Standards and Technology (NIST)-compliant security configurations for multi-tenanted public/private/hybrid cloud environments. This will significantly simplify security certification and management and, when coupled with the choreography/orchestration/integration approach described above, allow the environment to dynamically evolve at runtime to serve new customers and applications based on customer risk tolerance coupled with security policy, and minimize the risk of unauthorized operations occurring.
Cloud computing has offered us a unique opportunity to build an approach that can be leveraged. This approach has the potential to provide significant new capacity to any customer environment that wishes to measure, monitor, analyze, and automate security decisions based on tolerance and security policy. This becomes particularly important when the organization is dealing with security classifications of data and the security policy and rules around those data classifications, as the approach will have the capacity to monitor the authorizations for access to this data.